MITRE ATT&CK Technique
Description
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description) Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)). For example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as <code>LSEnvironment</code>, to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-04-09T15:06:32.458Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may modify property list files (plist files) to '
'enable other malicious activity, while also potentially '
'evading and bypassing system defenses. macOS applications use '
'plist files, such as the <code>info.plist</code> file, to '
'store properties and configuration settings that inform the '
'operating system how to handle the application at runtime. '
'Plist files are structured metadata in key-value pairs '
"formatted in XML based on Apple's Core Foundation DTD. Plist "
'files can be saved in text or binary format.(Citation: '
'fileinfo plist file description) \n'
'\n'
'Adversaries can modify key-value pairs in plist files to '
'influence system behaviors, such as hiding the execution of '
'an application (i.e. [Hidden '
'Window](https://attack.mitre.org/techniques/T1564/003)) or '
'running additional commands for persistence (ex: [Launch '
'Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch '
'Daemon](https://attack.mitre.org/techniques/T1543/004) or '
'[Re-opened '
'Applications](https://attack.mitre.org/techniques/T1547/007)).\n'
'\n'
'For example, adversaries can add a malicious application path '
'to the `~/Library/Preferences/com.apple.dock.plist` file, '
'which controls apps that appear in the Dock. Adversaries can '
'also modify the <code>LSUIElement</code> key in an '
'application’s <code>info.plist</code> file to run the app in '
'the background. Adversaries can also insert key-value pairs '
'to insert environment variables, such as '
'<code>LSEnvironment</code>, to enable persistence via '
'[Dynamic Linker '
'Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: '
'wardle chp2 persistence)(Citation: eset_osx_flashback)',
'external_references': [{'external_id': 'T1647',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1647'},
{'description': 'ESET. (2012, January 1). '
'OSX/Flashback. Retrieved April 19, '
'2022.',
'source_name': 'eset_osx_flashback',
'url': 'https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/osx_flashback.pdf'},
{'description': 'FileInfo.com team. (2019, November '
'26). .PLIST File Extension. '
'Retrieved October 12, 2021.',
'source_name': 'fileinfo plist file description',
'url': 'https://fileinfo.com/extension/plist'},
{'description': 'Patrick Wardle. (2022, January 1). '
'The Art of Mac Malware Volume '
'0x1:Analysis. Retrieved April 19, '
'2022.',
'source_name': 'wardle chp2 persistence',
'url': 'https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf'}],
'id': 'attack-pattern--7d20fff9-8751-404e-badd-ccd71bda0236',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:00.573Z',
'name': 'Plist File Modification',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.0'}